magmax / python-readchar

Python library to read characters and key strokes
MIT License

Provide a source distribution for non-binary builds #77

Closed dmwelch closed 2 years ago

dmwelch commented 2 years ago

I'm trying to install Chalice in a Docker container (python:3.9.13-buster) without binary packages because binaries are a security issue in our system (especially with packages that record keystrokes! 😨 ).

I'm running the command below that leads me to believe there is not a source distribution available in PyPI.

pip install -r /app/requirements.txt --no-binary :all:

returns an error:

Collecting readchar==3.0.5
  Downloading readchar-3.0.5.tar.gz (6.2 kB)
  Preparing metadata (setup.py) ... done
  WARNING: Requested readchar==3.0.5 from https://files.pythonhosted.org/packages/8d/ff/33df88cee8ab693302288fc7d2983e561bf7d78439b844407c976d52fa73/readchar-3.0.5.tar.gz#sha256=d1f5b71e98c37b7f3b695fba9db978ab84f4f8a0ed879653d83e1d90a4c482c0 (from -r /app/requirements.txt (line 85)), but installing version 2.0.1
Discarding https://files.pythonhosted.org/packages/8d/ff/33df88cee8ab693302288fc7d2983e561bf7d78439b844407c976d52fa73/readchar-3.0.5.tar.gz#sha256=d1f5b71e98c37b7f3b695fba9db978ab84f4f8a0ed879653d83e1d90a4c482c0 (from https://pypi.org/simple/readchar/): Requested readchar==3.0.5 from https://files.pythonhosted.org/packages/8d/ff/33df88cee8ab693302288fc7d2983e561bf7d78439b844407c976d52fa73/readchar-3.0.5.tar.gz#sha256=d1f5b71e98c37b7f3b695fba9db978ab84f4f8a0ed879653d83e1d90a4c482c0 (from -r /app/requirements.txt (line 85)) has inconsistent version: filename has '3.0.5', but metadata has '2.0.1'
ERROR: Could not find a version that satisfies the requirement readchar==3.0.5 (from versions: 0.2-test1, 0.2-test1.linux-i686, 0.2-test2, 0.2-test2.linux-i686, 0.2.linux-i686, 0.0.8, 0.0.9, 0.2rc0, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5)
ERROR: No matching distribution found for readchar==3.0.5
WARNING: You are using pip version 22.0.4; however, version 22.1.2 is available.
You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.

Running the same command without --no-binary :all: succeeds in the installation (in a fresh container).

Cube707 commented 2 years ago

First of all, the latest version 3.0.5 is very broken and I would avoid using it. (see #76)

To your specific problem: There are source distributions, but the metadata is unclean on most versions of this project. The source files have their version listed as 2.0.1 even if they are for a much more recent version. See the setup.py file inside readchar-3.0.5.tar.gz, it lists the wrong version on line 10:

version = "2.0.1"

To work around this until the maintainer comes back and addresses all the open issues you have multiple options:

Cube707 commented 2 years ago

This is fixed with the new release workflow for v4.0.0. It is currently in pre-release but will be fully released shortly.
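The filename/metadata version mismatch discussed in this thread can be caught before upload or before a source-only install by comparing the version in the sdist filename with the versions declared inside the archive. The following is an added example, not code from this thread or from the readchar project; the function names are hypothetical, the sample archive is constructed in memory, and it assumes the version itself contains no hyphen and that `setup.py` sets a literal `version = "..."` as quoted above.

```python
import io
import re
import tarfile
from email.parser import HeaderParser

def filename_version(sdist_name):
    """Version from '<name>-<version>.tar.gz' (assumes no '-' inside the version)."""
    stem = sdist_name[: -len(".tar.gz")]
    return stem.rpartition("-")[2]

def declared_versions(fileobj):
    """Map each metadata source in the sdist to its version (setup.py is read as text, never run)."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if len(parts) != 2 or not member.isfile():
                continue  # only files directly under the top-level directory
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if parts[1] == "PKG-INFO":
                found["PKG-INFO"] = HeaderParser().parsestr(text)["Version"]
            elif parts[1] == "setup.py":
                m = re.search(r"""^\s*version\s*=\s*["']([^"']+)["']""", text, re.M)
                if m:
                    found["setup.py"] = m.group(1)
    return found

def version_mismatches(sdist_name, fileobj):
    """Return {source: version} for every source that disagrees with the filename."""
    want = filename_version(sdist_name)
    return {src: v for src, v in declared_versions(fileobj).items() if v != want}

def build_sample_sdist(dirname, version):
    """Constructed sample: a tiny in-memory sdist, not the real readchar archive."""
    files = {
        "PKG-INFO": f"Metadata-Version: 2.1\nName: readchar\nVersion: {version}\n",
        "setup.py": f'from setuptools import setup\nsetup(\n    name="readchar",\n    version = "{version}",\n)\n',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            data = body.encode()
            info = tarfile.TarInfo(f"{dirname}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    print(version_mismatches("readchar-3.0.5.tar.gz", build_sample_sdist("readchar-3.0.5", "2.0.1")))
```

An empty result means every metadata source agrees with the filename; any entry names the file that would make pip discard the archive as having an inconsistent version.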